This article applies to BoKS Manager 6.7.0, 6.7.1 and 7.0.0.

Description

The UNIX crypt password hash algorithm is considered weak by today's standards. The BoKS CLI command boksauth allows the root user on a BoKS Server Agent to view the UNIX crypt password hashes of other users on the same host via the boks_servc "user-data" function, even if the local password database is configured to use a stronger hash algorithm. User password hashes are also sometimes visible in the debug output from boks_servc.

Resolution / Workaround

To resolve these issues, apply hotfix HFBM-0170 for BoKS 6.7 and HFBM-0187 for BoKS 7.0, available for download from the HelpSystems Community Portal.

This hotfix implements a server-side fix for the above problem by disabling distribution of UNIX crypt password hashes via the "user-data" function. The server-side fix only solves the problem for BoKS 6.6 and later: BoKS 6.5 Server Agents still require UNIX crypt passwords, and local applications may also need UNIX crypt passwords in the local password database.

The hotfix implements a filter for distribution of password hashes via the "user-data" function. The filter is only active if explicitly enabled in the domain. When the filter is enabled, the default behaviour is to allow UNIX crypt for BoKS 6.5 Server Agents but not for BoKS 6.6 and later. It is then possible to fine-tune the filter rules per host and/or per user via new flags on the user and host objects.

New host flags:

need_crypt
need_crypt_by_user

New user flags:

need_crypt
need_crypt_at_host

Host flag - need_crypt

If this is set for a host, all password hash formats are allowed for all user accounts on the host; the user-data function then works as it does without the hotfix.

Host flag - need_crypt_by_user

This flag is used in combination with the user flag need_crypt_at_host, see below.

User flag - need_crypt

Only the UNIX crypt password hash is allowed for this account on all hosts where the user exists; see also Note 3 below on the boks_clntd password update.

User flag - need_crypt_at_host

This is a variant of need_crypt above, but it is only active on hosts where the host flag need_crypt_by_user is also set.

BoKS programs updated by this hotfix:

boks_servc
- Added filter for the user-data function. Password hashes are hidden in debug output.

bksdef
- New option -K to set the global (domain) flag that enables/disables the boks_servc user-data filter function, see bksdef (1).

hostadm
- Added two new host flags: need_crypt and need_crypt_by_user.
- New option -v to specify selection criteria when listing hosts, to allow listing of hosts that have need_crypt and/or need_crypt_by_user enabled, see hostadm (1).

mkbks/modbks
- Added two new user flags: need_crypt and need_crypt_at_host, see modbks (1).

lsbks
- Added display of the new user flags using -a or -DF/-Df. Added selection criteria to option -V to allow listing of users that have the need_crypt and/or need_crypt_at_host flag enabled, see lsbks (1).

Note 1

The new host and user flags are implemented using currently unused flag-bits in the BoKS host and user objects. Some of these flag-bits were used in earlier BoKS versions. If your database is an upgrade from a very early version of BoKS, it is possible that these flag-bits are already set on some hosts/users even though they are not used by your current BoKS version. To check whether the new flag-bits are already set in your database, do the following:

After installing the hotfix, but before enabling the UNIX crypt filter, run the two commands below. They should not list any host or user.

List any hosts with need_crypt or need_crypt_by_user set:

BoKS # hostadm -l -B -vD -vd

List any users with need_crypt or need_crypt_at_host flag set:

BoKS # lsbks -VD -Vd

Note 2

Changing the UNIX crypt filter configuration for a host does not trigger updates of local password databases.

Note 3

Local password database update by boks_clntd.

BoKS 6.6 and later support multiple password hash algorithms. When boks_clntd receives a password update notification, it checks the local OS configuration for the preferred password hash format and tries to retrieve the user's password in that format from boks_servc. If the requested hash format is not available, it falls back to UNIX crypt, provided a UNIX crypt hash is available. The user flag rules above rely on this fallback mechanism to force the local password database to use UNIX crypt for the specific account, even if the local configuration is set to some other hash algorithm.

Note 4

BoKS 6.6 and later Server Agents whose local OS is configured to use the UNIX crypt password hash will have local user password hashes invalidated when they are next updated, unless the BoKS host or user flags are used to allow the UNIX crypt password hash for the host. Thus, to avoid unintentionally invalidating local passwords, it is recommended to configure all exceptions needed to the default rule of not allowing UNIX crypt for BoKS version >= 6.6 before enabling the UNIX crypt filter with bksdef.
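The filter rules from the flag descriptions above, the boks_clntd fallback in Note 3 and the invalidation consequence in Note 4, modelled as an added Python illustration (not BoKS code): the Host/User classes, the version tuples, hash formats and sample accounts are constructed, and letting the host need_crypt flag take precedence over a user need_crypt flag is an assumption the article does not state.

```python
# Model of the UNIX crypt filter rules in this article (added illustration,
# not BoKS code). Versions, formats and sample accounts are constructed; host
# need_crypt winning over user need_crypt is an assumption the article omits.
from dataclasses import dataclass

CRYPT = "crypt"

@dataclass
class Host:
    version: tuple              # BoKS Server Agent version, e.g. (6, 5)
    need_crypt: bool = False
    need_crypt_by_user: bool = False

@dataclass
class User:
    hashes: dict                # format -> stored hash (constructed values)
    need_crypt: bool = False
    need_crypt_at_host: bool = False

def allowed_formats(filter_enabled, host, user):
    """Hash formats boks_servc would distribute via user-data for this account."""
    formats = set(user.hashes)
    if not filter_enabled or host.need_crypt:
        return formats                              # as without the hotfix
    if user.need_crypt or (user.need_crypt_at_host and host.need_crypt_by_user):
        return formats & {CRYPT}                    # crypt only for this account
    if host.version < (6, 6):
        return formats                              # BoKS 6.5 agents still get crypt
    return formats - {CRYPT}                        # default for 6.6 and later

def clntd_select(filter_enabled, host, user, preferred):
    """Note 3: boks_clntd asks for the OS-preferred format and falls back to
    crypt; None means the local hash would be invalidated (Note 4)."""
    allowed = allowed_formats(filter_enabled, host, user)
    for fmt in (preferred, CRYPT):
        if fmt in allowed:
            return fmt, user.hashes[fmt]
    return None

def accounts_to_invalidate(filter_enabled, host, users, preferred):
    """Pre-check for Note 4: accounts whose local hash would be invalidated."""
    return sorted(n for n, u in users.items()
                  if clntd_select(filter_enabled, host, u, preferred) is None)

# Constructed sample: a BoKS 7.0 agent whose OS still prefers UNIX crypt.
SAMPLE_USERS = {
    "alice": User({CRYPT: "xxCRYPTxx", "sha512": "$6$xxSHA512xx"}),
    "legacy": User({CRYPT: "xxCRYPTxx"}),
    "bob": User({CRYPT: "xxCRYPTxx", "sha512": "$6$xxSHA512xx"}, need_crypt=True),
}
```

Running accounts_to_invalidate against the sample with preferred "crypt" shows which local accounts would break once the filter is enabled, which is the pre-check Note 4 recommends doing before running bksdef.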

Last Modified On: July 27, 2018